All,
On January 13, 2015, we reached the publication date for the new
CVE-ID syntax. We published 92 new-syntax IDs: 48 with 5 digits, and
44 with 6 digits, which included 70 normal entries and 22 additional
entries with REJECTED or RESERVED status. We published CVE entries
for CVE-2014-10001 through CVE-2014-10039 (with 5-digit sequence
numbers) and CVE-2014-100001 through CVE-2014-100038 (6-digit sequence
numbers).
So far, two months later, we have not seen or received any reports of
any significant errors occurring due to the syntax change. We've seen
some public bug fixes related to ID parsing around the time of the
deadline. We've had feedback that sorting of variable-length IDs is
causing some minor annoyance due to the variable length, although this
was a well-documented and publicly discussed problem when the syntax
was adopted.
We have received, seen, or otherwise become aware of various questions
about the process that we have been following for assigning the new
IDs, so we thought it would be useful to provide more details of what
we did and why.
1. Since there are many different communication channels or processes
that involve the exchange of CVE IDs, and there could be different
ID-processing code for each stream/process, we believed that it was
important to exercise the ID syntax change for these different
channels, so that consumers can verify that their ID syntax changes
have been thoroughly handled.
2. We published valid CVE entries for CVE-2014-10001 through
CVE-2014-10039 (with 5-digit sequence numbers) and CVE-2014-100001
through CVE-2014-100038 (6-digit sequence numbers). This satisfied
the CVENEW and CVE download communication streams. For this set of
IDs, we selected issues that were public in 2014 but had not yet
received a CVE-ID due to prioritization according to our "CVE Data
Sources and Coverage" list [1]. We defined and used a
semi-automated process that randomly determined which issues
received 5- or 6-digit IDs, and which references received the first
valid 5-digit and 6-digit IDs, namely CVE-2014-10001 and
CVE-2014-100001.
3. Since REJECTED or RESERVED IDs are often treated differently from
regular entries, we issued some new-syntax IDs with these
characteristics. The REJECTed IDs include IDs that would normally
be rejected, such as the inadvertent use of multiple 5-digit IDs in
a public advisory during 2014, or their use in the ID-Syntax test
data. The RESERVED IDs will show up in vulnerability advisories in
external data sources, which are also likely to have different
processing code.
4. We chose to include 6-digit IDs in addition to 5-digit IDs for
several reasons. Near the end of 2014, there was evidence that
some implementers were making a 5-digit assumption, or making
other, similarly incorrect assumptions. We wanted to guard against
having a series of tools emerge that might solve "CVE-10K" but
still be subject to a "CVE-100K" problem due to incorrect
implementations.
5. Note that we have exceeded 9,705 4-digit CVE-2014-xxxx IDs so
far. There is still a gap with the 5-digit CVE-2014-10000 IDs, but
this gap will slowly be closed as additional CVE IDs continue to be
assigned to older issues published in 2014. This gap is for 2014
only, and it is due to our commitment to easing the transition to
the new syntax IDs by releasing other real-world IDs that can
ensure compliance with the new syntax.
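As an added illustration that is not part of this message: a small Python checker for the new syntax that shows both the sorting point raised above and the fixed-width assumption item 4 warns against. The regular expressions, helper names and the 4-digit sample IDs are this example's own constructions, not anything published by MITRE.

```python
import re
from typing import List, Tuple

# New CVE-ID syntax: "CVE-" + 4-digit year + "-" + a sequence number of at
# least four digits with no upper bound on its length.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# The kind of "5-digit assumption" the post describes (constructed here as a
# deliberately wrong pattern): it caps the sequence at five digits, so a
# tool built on it solves "CVE-10K" but still fails on "CVE-100K" IDs.
NAIVE_5DIGIT_RE = re.compile(r"^CVE-(\d{4})-(\d{4,5})$")


def parse_cve_id(cve_id: str) -> Tuple[int, int]:
    """Return (year, sequence) for a syntactically valid CVE-ID, else raise."""
    m = CVE_ID_RE.match(cve_id)
    if m is None:
        raise ValueError(f"not a valid CVE-ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def is_valid_cve_id(cve_id: str) -> bool:
    """True when the ID matches the variable-length (new) syntax."""
    return CVE_ID_RE.match(cve_id) is not None


def naive_accepts(cve_id: str) -> bool:
    """What a 5-digit-assuming implementation would accept."""
    return NAIVE_5DIGIT_RE.match(cve_id) is not None


def sort_cve_ids(ids: List[str]) -> List[str]:
    """Sort numerically by (year, sequence); a plain string sort puts
    CVE-2014-100001 before CVE-2014-10001 because '0' < '1'."""
    return sorted(ids, key=parse_cve_id)


# Constructed sample mixing 4-, 5- and 6-digit sequence numbers; the 5- and
# 6-digit ones are the first valid IDs named in the post, the 4-digit ones
# are made up for the example.
SAMPLE_IDS = ["CVE-2014-100001", "CVE-2014-10001", "CVE-2014-1234", "CVE-2014-9999"]

if __name__ == "__main__":
    print("string sort :", sorted(SAMPLE_IDS))
    print("numeric sort:", sort_cve_ids(SAMPLE_IDS))
    for cid in SAMPLE_IDS:
        print(cid, "naive accepts:", naive_accepts(cid))
```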
Within a matter of weeks, we will have one additional, limited release
of 5-digit and 6-digit IDs, which will be useful for exercising any
functionality that performs change detection. We do not plan to make
any formal announcements when we execute these steps.
After the release of this additional set of 5-digit and 6-digit IDs, we
believe our work regarding the syntax change will be complete, bringing
over 2 years of community discussion and effort to a close.
We hope that this clarifies any questions or concerns that people have
had. MITRE has been committed to making the transition to the new ID
syntax as smooth and transparent as possible, for consumers and
vendors.
As always, we welcome everybody's thoughts and feedback.
- Steve Christey Coley